|
IBM Neutral on Passport vs. Liberty Security Efforts for Now
by Kristin Palitza
IBM will not take a stance on the application security efforts of Microsoft's Passport technology and Sun Microsystems' Liberty Alliance Project--at least for the moment. IBM says it will wait until one or the other matures. It will take at least another few months until Passport and Liberty are far enough evolved for IBM to decide which one it wants to go with, said Arvind Krishna, vice president of security products for IBM's Tivoli division, at the company's Web Services Day last week.
Krishna further explained that IBM might as well opt to support both efforts. "We don't like to take sides. It doesn't have to be the one or the other," Krishna said.
The Liberty Alliance is a group Sun established together with dozens of partners from the high-tech, financial, automotive, and travel industries to create an interoperable standard for network identity. Charter members include Bank of America, i2 Technologies, General Motors, RSA Security, Entrust Technologies, American Airlines, and VeriSign, among others. Liberty competes with the Passport authentication technology, which is part of Microsoft's .NET initiative. Although both groups persistently talk about eventual interoperability between Passport and Liberty technologies, there are currently no signs of collaboration.
Both efforts are lacking in core criteria that would be necessary to gain IBM's full support, Krishna explained. The Liberty Alliance only recently made public what security technologies it will subscribe to (Liberty says it plans to release its first specification this summer), whereas Passport is not an open standard but Microsoft's proprietary tool. Passport will have to become part of the federated identities endeavor for IBM to consider supporting it, Krishna said. Through federated identities, online customers have a mechanism for forwarding trusted identity information when logging onto different Web sites that would normally require multiple IDs.
"Microsoft is under a tremendous amount of pressure. They have got to be standards-based to do mission-critical work, because the world is heterogeneous," said Robert Sutor, IBM director of e-business standards strategy. He stressed the fact that every technology vendor has to make sure its products can interoperate with other products to play a leading role in the IT market. "Everybody is under the same type of pressure--no matter if its Microsoft, Oracle, Sun, or IBM," Sutor said.
Although IBM claims to be neutral on Passport versus Liberty, it seems to slightly favor the Microsoft team. IBM is already said to be playing a role in Microsoft Passport announcements later this year, but it is not a member of Liberty. "We are moving forward with pragmatism. Liberty is just one corner of what is happening regarding Web services security," IBM said. IBM recently strengthened its ties with Redmond, Washington, based Microsoft when the two giants jointly founded the Web Services Interoperability Organization, in early February, to promote Web services interoperability across all systems. IBM decided to cofound WS-I because "Web services standards and technologies enable interoperability, but they don't guarantee it," said Sutor. WS-I aims to deliver profiles, best practices, scenarios, as well as software and materials testing for Web services interoperability. The group started on February 9 with nine founders and only one month later it has received 450 inquiries from those interested in joining, Sutor said.
While waiting for Passport and Liberty to progress, IBM is investing in its own security standards development. It is working on prototypes of its alphaWorks site, where developers can download emerging alpha-code technologies at a very early development stage. IBM currently has three Web services-related security protocols on its site, including XML Encryption Syntax, XML Digital Signature, and XML Access Control. Technologies that appear on alphaWorks are usually part of the next Tivoli release, IBM's security management products, Krishna said. It generally takes between six and 12 months for an alpha version to become a product.
How to secure Web services is the biggest issue for developers right now. They spent a long time figuring out how to connect Web services and eventually created the SOAP, WSDL, UDDI, and XML schema. They are just in the beginning of the second phase of Web services development, creating tools for security and reliability. Some efforts are under way, including Security Assertion Markup Language, eXtensible Access Control Markup Language, XML digital signatures, XML encryption, and HTTP-R. Afterward, developers will have to tackle thresholds, such as Web services provisioning, transactions, workflow, and systems management. Web services technology is still in an early stage.
Krishna named five layers of Web services security that IBM is working on in some form: authentication and identity; authorization; confidentiality; integrity; and non-repudiation. To guarantee confidentiality, IBM and Microsoft submitted a SOAP security standard to the World Wide Web Consortium, for example. IBM also partnered last month with security-software developer VeriSign to provide managed public key infrastructure services and to promote the Security Assertion Markup Language and the XML Key Management Specification, which is aimed at validating certificates before signing. IBM plans to use SAML and XKMS within its Tivoli Policy Director.
Another major challenge will be to scale Web services security mechanisms, like authorization, for instance, Krishna said. Companies will have to publish policies for each Web service they provide, but since all Web services will be interoperable, Web services policies will have to be reconciled--a difficult and arduous task.
|
